*UPDATE* 06/23/2017 Windows 10 works much the same and is susceptible to this same exact situation. When you set up any Windows machine running 8.x or newer, the way to prevent this is to NOT allow it to connect to any network during the initial setup. Windows will then not be immediately tied to Live.com.

 

I have never run Windows 8 and I often cite the horrid interface as the main reason.  There’s another reason as well.  The forced integration with Live.com leads to severe security issues as noted in this article.  I do not know if this forced integration is present inside Windows 10 as well.  I am researching this now.

 

How Best Buy’s computer-wiping error turned me into an amateur blackhat | Ars Technica

There you go. The latest Windows operating system, and it was compromised by a Web search and some open source software. The whole process took me a few hours. I can only imagine how fast a seasoned hacker could do it. Also, I didn’t change anything about the computer’s hard drive. The default Windows security has improved over the years, but so have the tools to get around it. There are settings that can protect against this type of attack, but those aren’t the default settings.

Connected world

I logged in as David and the computer looked like I expected it to—default. I’d already perused through the files, so I knew there wasn’t much to be found there.

What I didn’t know was what I’d find online. David’s password didn’t just get me into this computer. It was also his Hotmail and Windows Live passwords. I was now logged in as David on a computer that the world still thought was his.

I debated whether I should take my research one step further and log into a website. But I didn’t want to invade David’s privacy any more than I already had—even though I hadn’t gotten much. Up to now, I’d been accessing data on a computer I purchased that was supposedly wiped clean and like new. But going online? That felt a bit too far.

For example, if he had logged in to social media sites, a less moral-conscious hacker could do some embarrassing things or some social engineering. Imagine if he’d logged into Amazon or his bank and the financial damage that could have resulted. They would also have access to David’s Windows Live account profile, purchase history, Xbox Live account, OneDrive, and other Microsoft services. And don’t forget that they could also see his Internet history and visit all the sites whose passwords are saved in the browser.

I did make one mistake. This was my first time using Windows 8 with a touch screen, and I accidentally launched the Mail app, which automatically logged me in to David’s Outlook mailbox. This is the brass ring for a would-be thief, giving the thief the ability to search which sites David had accounts for. Most people use the same passwords over and over, so that would give a thief a leg up. And if the password didn’t work, the hacker could simply use the forgot password link on the site and it would send an e-mail to—you guessed it—the Outlook e-mail.

A thief would have immediately changed David’s e-mail password. Luckily, I’m not a thief, so I quickly exited the app and silently apologized to David.

Source: How Best Buy’s computer-wiping error turned me into an amateur blackhat | Ars Technica